DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1, 4, 13, and 18 are amended.
Claims 1-20 are pending.
Response to Arguments
Applicant’s argument filed 03/26/2021 have been fully considered.
Applicant’s arguments with respect to Independent claim(s) 1, 8, and 18 along with their respective dependent claims have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 6-8, 13-15, and 18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nayshtut et al. (US 20130339736 hereinafter Nayshtut) in view of Eyal (US 20170026840) and in further view of Ziskin (US 20170063947).
Re. claim 1, Nayshtut teaches a computer program product comprising a non-transitory computer-readable medium embodying computer-executable code that, when executing on an authentication service accessible through a data network, performs the steps of: receiving a heartbeat from an endpoint through a data network, wherein the heartbeat includes a security status indicating a state of compromise of the endpoint and wherein the heartbeat is cryptographically secured by the endpoint to permit verification of a source of the heartbeat with reference to a trusted third party (Nayshtut teaches the server 120 periodically validating the identity of the client 102 by requiring the client 102 to generate and provide a periodic signed client-heartbeat message that the server 120 can use to verify that the identity of the client 102 has not been compromised [0014]. Heartbeat is received and accepted [0023] Fig. 1 discloses network #130); receiving a request from the endpoint for a token suitable for authenticating a user of the endpoint to a secure service accessible by the endpoint through the data network (Nayshtut teaches validation can be accomplished using a client certificate that can be requested from the client 102, or through the use of a trusted directory or certificate authentication service to confirm the identity of the client 102 for the server 120 [0013]. client and create a session ID and token (e.g., a secure cookie for use with an encrypted session). Upon successful identification of the client by the server, at 204 the client may receive an indication that a session was successfully established [0017]). 
Although Nayshtut discloses heartbeat, Nayshtut does not explicitly disclose but Eyal discloses evaluating a health status of the endpoint based on the heartbeat (Eyal teaches determines that the heartbeat token 40 is valid at block 111, it will then check the OS status message 42 at block 113. In some embodiments, the OS status message 42 may consist of a single bit. For example, a value of `0` may indicate that the operating system 28 is unmodified (i.e., the status is `OK`), while a value of `1` may indicate that the operating system 28 has been modified [0023]); generating the token if the health status of the endpoint is satisfactory (Eyal teaches the heartbeat token 40 includes the OS status message 42. The OS status message 42 indicates whether the operating system 28 has been modified [0018]).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Eyal into the invention of Nayshtut for the purpose of guard against a replay attack (Eyal [0022]).
Although Nayshtut-Eyal discloses token and heartbeat including the health status of the endpoint, Nayshtut-Eyal do not explicitly disclose but Ziskin discloses transmitting information for verifying the token derived from the heartbeat including the health status of the endpoint to an access control system for accessing the secure service (Ziskin teaches receive the authentication token and decrypt the authentication token as part of the heartbeat. The authentication token may be comprised of several pieces of hashed information, for example, the client's account identification (ID). Accordingly, the client ID may be extracted from the decrypted authentication token and once the authentication token has been successfully decrypted and found to be valid, return a status update (Interpreted as transmitting information for verifying the token from the heartbeat that includes health status). The authentication token may also be compared against a black list, and in the event that an entry exists for the authentication token in the blacklist, a status, for example, "403 forbidden" may be returned to the client, denying the client access [0024]); and returning the token to the endpoint for use by the user in accessing the secure service through the access control system (Ziskin teaches the authentication token may also be compared against a black list, and in the event that an entry exists for the authentication token in the blacklist, a status, for example, "403 forbidden" may be returned to the client, denying the client access [0024] (Interpreted as if the entry doesn’t exist the token is returned allowing access)).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Ziskin into the invention of Nayshtut-Eyal for the purpose of accepting or denying the heartbeat (Ziskin [0024]).
Re. claim 2, Nayshtut-Eyal-Ziskin teach the computer program product of claim 1, further comprising transmitting information for verifying the token to an access control system used by the endpoint to access the secure service (Ziskin teaches receive the authentication token and decrypt the authentication token as part of the heartbeat. The authentication token may be comprised of several pieces of hashed information, for example, the client's account identification (ID). Accordingly, the client ID may be extracted from the decrypted authentication token and once the authentication token has been successfully decrypted and found to be valid, return a status update (Interpreted as transmitting information for verifying the token from the heartbeat that includes health status). The authentication token may also be compared against a black list, and in the event that an entry exists for the authentication token in the blacklist, a status, for example, "403 forbidden" may be returned to the client, denying the client access (Interpreted as if the entry doesn’t exist the token is returned allowing access)).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Ziskin into the invention of Nayshtut-Eyal for the purpose of accepting or denying the heartbeat (Ziskin [0024]).
Re. claim 3, Nayshtut-Eyal-Ziskin teach the computer program product of claim 1 further comprising generating a defective token if the health status of the endpoint is unsatisfactory (Eyal teaches determine that an unauthorized software modification exists based on the heartbeat token, and activate at least one countermeasure [0010]).
(Eyal [0022]).
Re. claim 4, Nayshtut teaches a method comprising: receiving a heartbeat from an endpoint that is cryptographically secured, wherein the heartbeat includes a security status indicating a state of compromise of the endpoint (Nayshtut teaches the server 120 periodically validating the identity of the client 102 by requiring the client 102 to generate and provide a periodic signed client-heartbeat message that the server 120 can use to verify that the identity of the client 102 has not been compromised [0014]. Heartbeat is received and accepted [0023] Fig. 1 discloses network #130); receiving a request for authentication data for the endpoint (Nayshtut teaches validation can be accomplished using a client certificate that can be requested from the client 102, or through the use of a trusted directory or certificate authentication service to confirm the identity of the client 102 for the server 120 [0013]. client and create a session ID and token (e.g., a secure cookie for use with an encrypted session). Upon successful identification of the client by the server, at 204 the client may receive an indication that a session was successfully established [0017]).
Although Nayshtut discloses heartbeat, Nayshtut does not explicitly disclose but Eyal discloses evaluating a health status of the endpoint based on the heartbeat (Eyal teaches determines that the heartbeat token 40 is valid at block 111, it will then check the OS status message 42 at block 113. In some embodiments, the OS status message 42 may consist of a single bit. For example, a value of `0` may indicate that the operating system 28 is unmodified (i.e., the status is `OK`), while a value of `1` may indicate that the operating system 28 has been modified [0023]); generating authentication data if the health status of the endpoint is satisfactory (Eyal teaches the heartbeat token 40 includes the OS status message 42. The OS status message 42 indicates whether the operating system 28 has been modified [0018]).
(Eyal [0022]).
Although Nayshtut-Eyal discloses token and heartbeat including the health status of the endpoint, Nayshtut-Eyal do not explicitly disclose but Ziskin discloses transmitting information for verifying the authentication data to an access control system (Ziskin teaches receive the authentication token and decrypt the authentication token as part of the heartbeat. The authentication token may be comprised of several pieces of hashed information, for example, the client's account identification (ID). Accordingly, the client ID may be extracted from the decrypted authentication token and once the authentication token has been successfully decrypted and found to be valid, return a status update (Interpreted as transmitting information for verifying the token from the heartbeat that includes health status). The authentication token may also be compared against a black list, and in the event that an entry exists for the authentication token in the blacklist, a status, for example, "403 forbidden" may be returned to the client, denying the client access [0024]); and transmitting the authentication data to a recipient in response to the request for use in accessing a secure service through the access control system (Ziskin teaches the authentication token may also be compared against a black list, and in the event that an entry exists for the authentication token in the blacklist, a status, for example, "403 forbidden" may be returned to the client, denying the client access [0024] (Interpreted as if the entry doesn’t exist the token is returned allowing access)).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Ziskin into the invention of Nayshtut-Eyal for the purpose of accepting or denying the heartbeat (Ziskin [0024]).
Re. claim 6, Nayshtut-Eyal-Ziskin teach the method of claim 4 wherein the heartbeat is cryptographically signed (Nayshtut teaches the server 120 periodically validating the identity of the client 102 by requiring the client 102 to generate and provide a periodic signed client-heartbeat message that the server 120 can use to verify that the identity of the client 102 has not been compromised. A signed client-heartbeat message may include information related to a physical attribute of the client 102 that cannot be identified for reproduction and impersonation by a third-party (Interpreted as heartbeat) [0014]. Heartbeat is received and accepted [0023]).
Re. claim 7, Nayshtut-Eyal-Ziskin teach the method of claim 4 wherein the request is received from the endpoint (Nayshtut teaches validation can be accomplished using a client certificate that can be requested from the client 102, or through the use of a trusted directory or certificate authentication service to confirm the identity of the client 102 for the server 120 [0013]).
Re. claim 8, Nayshtut-Eyal-Ziskin teach the method of claim 4 wherein the request is received from a hardware token (Nayshtut teaches validation can be accomplished using a client certificate that can be requested from the client 102, or through the use of a trusted directory or certificate authentication service to confirm the identity of the client 102 for the server 120 [0013]. client and create a session ID and token (e.g., a secure cookie for use with an encrypted session). Upon successful identification of the client by the server, at 204 the client may receive an indication that a session was successfully established [0017]).
Re. claim 13, Nayshtut-Eyal-Ziskin teach the method of claim 4 wherein the recipient include the endpoint (Nayshtut teaches A client and server can be any combination of two or more machines, devices, processors, controllers, or other apparatus that may be configured to communicate securely over a network [0013]).
Re. claim 14, Nayshtut-Eyal-Ziskin teach the method of claim 4 wherein the recipient includes a mobile device (Nayshtut teaches a mobile telephone [0035]).
(Nayshtut teaches the server may validate the identity provided by the client with information local to the server [0021]).
Re. claim 18, Nayshtut teaches a security appliance for providing a multi-factor authentication verification method based on a secure heartbeat from an endpoint, the security appliance comprising: a network interface configured to couple the security appliance in a communicating relationship with a data network (Nayshtut teaches the instructions 524 may further be transmitted or received over a communications network 526 using a transmission medium via the network interface device 520 [0041]) ; a memory (Nayshtut teaches processor [0038]); and a processor (Nayshtut teaches memory [0038]) configured by computer code stored in the memory to perform the steps of receiving the secure heartbeat that includes a security status indicating a state of compromise of the endpoint from the endpoint that and wherein the secure heartbeat is cryptographically secured through the network interface (Nayshtut teaches the server 120 periodically validating the identity of the client 102 by requiring the client 102 to generate and provide a periodic signed client-heartbeat message that the server 120 can use to verify that the identity of the client 102 has not been compromised [0014]. Heartbeat is received and accepted [0023] Fig. 1 discloses network #130), receiving a request for authentication data for the endpoint through the network interface (Nayshtut teaches validation can be accomplished using a client certificate that can be requested from the client 102, or through the use of a trusted directory or certificate authentication service to confirm the identity of the client 102 for the server 120 [0013]. client and create a session ID and token (e.g., a secure cookie for use with an encrypted session). Upon successful identification of the client by the server, at 204 the client may receive an indication that a session was successfully established [0017]). 
Although Nayshtut discloses heartbeat, Nayshtut does not explicitly disclose but Eyal discloses evaluating a health status of the endpoint based on the secure heartbeat (Eyal teaches determines that the heartbeat token 40 is valid at block 111, it will then check the OS status message 42 at block 113. In some embodiments, the OS status message 42 may consist of a single bit. For example, a value of `0` may indicate that the operating system 28 is unmodified (i.e., the status is `OK`), while a value of `1` may indicate that the operating system 28 has been modified [0023]), generating authentication data if the health status of the endpoint is satisfactory (Eyal teaches the heartbeat token 40 includes the OS status message 42. The OS status message 42 indicates whether the operating system 28 has been modified [0018]).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Eyal into the invention of Nayshtut for the purpose of guard against a replay attack (Eyal [0022]).
Although Nayshtut-Eyal discloses token and heartbeat including the health status of the endpoint, Nayshtut-Eyal do not explicitly disclose but Ziskin discloses transmitting information for verifying the authentication data to an access control system for accessing a secure service (Ziskin teaches receive the authentication token and decrypt the authentication token as part of the heartbeat. The authentication token may be comprised of several pieces of hashed information, for example, the client's account identification (ID). Accordingly, the client ID may be extracted from the decrypted authentication token and once the authentication token has been successfully decrypted and found to be valid, return a status update (Interpreted as transmitting information for verifying the token from the heartbeat that includes health status). The authentication token may also be compared against a black list, and in the event that an entry exists for the authentication token in the blacklist, a status, for example, "403 forbidden" may be returned to the client, denying the client access [0024]); and transmitting the authentication data to a recipient in response to the request for use in accessing a secure service through the access control system (Ziskin teaches the authentication token may also be compared against a black list, and in the event that an entry exists for the authentication token in the blacklist, a status, for example, "403 forbidden" may be returned to the client, denying the client access [0024] (Interpreted as if the entry doesn’t exist the token is returned allowing access)).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Ziskin into the invention of Nayshtut-Eyal for the purpose of accepting or denying the heartbeat (Ziskin [0024]).
Claims 17, and 20 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nayshtut et al. (US 20130339736 hereinafter Nayshtut) in view of Eyal (US 20170026840), Ziskin (US 20170063947), and in further view of Kariv et al. (US 20110307947 hereinafter Kariv).
Re. claim 17, Nayshtut-Eyal-Ziskin teach the method of claim 4. Nayshtut-Eyal-Ziskin do not explicitly disclose but Kariv discloses wherein receiving the request for authentication data includes receiving the request at one or more of a cloud service, a firewall or a gateway (Kariv teaches If the user authentication and authorization succeeds, the access control gateway requests a security token from a security token service trusted by an access control component in the cloud and forwards the security token to the client computer [abstract]).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Kariv into the invention of Nayshtut-Eyal-Ziskin for the purpose of to authenticate and/or authorize a user (Kariv [0008]).
Re. claim 20, Nayshtut-Eyal-Ziskin teach the security appliance of claim 18, Yet, Nayshtut-Eyal-Ziskin do not explicitly disclose but Kariv discloses wherein the security appliance is a gateway for an enterprise network (Kariv teaches Prior to granting access, the access control component in the cloud may verify that the security token is generated by a trusted entity, which may be the access gateway itself, or some other entity from which the access gateway obtained the security token [0023]).
(Kariv [0023]).
Claim 5 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nayshtut et al. (US 20130339736 hereinafter Nayshtut) in view of Eyal (US 20170026840), Ziskin (US 20170063947), and in further view of Gomes de Oliveira et al. (US 20190065747 hereinafter Gomes).
Re. claim 5, Nayshtut-Eyal-Ziskin teach the method of claim 4, Although Nayshtut-Eyal-Ziskin disclose heartbeat, Nayshtut-Eyal-Ziskin do not explicitly disclose but Gomes discloses wherein content of the heartbeat is encrypted (Gomes teaches the first heartbeat signal may be generated by encrypting the session identifier using SHA-2 [0037]).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Gomes into the invention of Nayshtut-Eyal-Ziskin for the purpose of increase the complexity of spoofing the heartbeat signals and/or responses to the heartbeat signals (Gomes [0017]).
Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nayshtut et al. (US 20130339736 hereinafter Nayshtut) in view of Eyal (US 20170026840), Ziskin (US 20170063947), and in further view of Lakhani et al. (US 20180332033 hereinafter Lakhani).
Re. claim 9, Nayshtut-Tse teach the method of claim 4. Yet, Nayshtut-Tse do not explicitly disclose but Lakhani discloses wherein the request is received from a computing device other than the endpoint (Lakhani teaches first device 1002 (and/or second device 1004) may request user input of a personal user ID (previously generated by system 1000 during the registration process), and may receive the personal user ID via a user interface [0160]).
(Lakhani [0004] [0127]).
Claims 10, 12, 16, and 19 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nayshtut et al. (US 20130339736 hereinafter Nayshtut) in view of Eyal (US 20170026840), Ziskin (US 20170063947), and in further view of Tse et al. (US 20160188801 hereinafter Tse) .
Re. claim 10, Nayshtut-Eyal-Ziskin teach the method of claim 4, Nayshtut-Eyal-Ziskin discloses health status, Nayshtut-Eyal-Ziskin do not explicitly disclose but Tse discloses wherein the health status includes a health status of at least one of a file on the endpoint, a process executing on the endpoint, and a user of the endpoint (Tse teaches User data 245 includes data associated with one or more users of the client devices 106 and/or the peripheral devices 103. The user data 245 may include health information 109a stored in association with a particular user of a particular client device 106 [0034]).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Tse into the invention of Nayshtut-Eyal-Ziskin for the purpose of satisfying health-related regulations and increasing difficulty of unauthorized decryption and/or access to the health information (Tse [0012] [0081]).
Re. claim 12, Nayshtut-Eyal-Ziskin teach the method of claim 4, Nayshtut-Eyal-Ziskin do not explicitly disclose but Tse discloses further comprising encrypting the authentication data (Tse teaches the data encryption service 218 is executed to encrypt data, such as health information 109, at the direction of the management service 215 [0026]. consent and authentication of the user may also be accomplished using a X.509 Certificate or a similar certificate. Further, in various embodiments, the key 233 may be protected by a public/private key pair issued by the management service 215 [0067]).
(Tse [0067]).
Re. claim 16, Nayshtut-Eyal-Ziskin teach the method of claim 4, Nayshtut-Eyal-Ziskin do not explicitly disclose but Tse discloses wherein transmitting the authentication data includes transmitting at least one of a text message to a mobile device of a user of the endpoint or an electronic mail message to an electronic mail account of the user of the endpoint (Tse teaches or in addition to transmission over the network 112 to provide additional security. For example, the key 233 may be communicated to a requesting service via email or simple messaging service ( SMS). Using the user-specific key 233 and the service-specific key 233, the requesting service 206 is able to decrypt the health information 109 for authorized access [0051]).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Tse into the invention of Nayshtut-Eyal-Ziskin for the purpose of exchanging messages, Able to decrypt the encrypted information for authorized access (Tse [0051]).
Re. claim 19, Nayshtut-Eyal-Ziskin teach the security appliance of claim 18, Nayshtut-Eyal-Ziskin do not explicitly disclose but Tse discloses wherein the security appliance is a cloud service for supporting multi-factor authentication based on a secure heartbeat (Tse teaches the health information 109 as encrypted is further encrypted with a password (also referred to as "wrapped" or "key wrapped") by the management service 215 through the data encryption service 218 or a similar service. However, in various embodiments, encrypting the health information 109 includes decrypting the health information 109 prior to encryption by the computing environment 203. In some embodiments, the key 233 includes a double-encrypted key 233 with a provider-specific key [0050]).
(Tse [0012] [0081]).
Claim 11 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nayshtut et al. (US 20130339736 hereinafter Nayshtut) in view of Eyal (US 20170026840), Ziskin (US 20170063947), and in further view of Johansson et al. (US 20160164855 hereinafter Johansson).
Re. claim 11, Nayshtut-Eyal-Ziskin teach the method of claim 4, Yet, Nayshtut-Eyal-Ziskin teaches signature but do not explicitly disclose but Johansson discloses further comprising digitally signing the authentication data (Johansson teaches the authentication object may be digitally signed (thereby producing a digital signature of the authentication object) such that the digital signature is verifiable by the system that will cryptographically verify the authentication object [0019]).
Therefore, it would have been obvious to one or ordinary skill in the art before the effective filing date of the claimed invention to incorporate the features described by Johansson into the invention of Nayshtut-Tse for the purpose of verifying the authentication object (Johansson [0067]).
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. Hammad (US 20100327054) discloses secure communication using verification tokens.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to KEVIN A AYALA whose telephone number is (571)270-3912.  The examiner can normally be reached on Monday-Thursday 8AM-5PM; Friday: Variable EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Shewaye Gelagay can be reached on 571-272-4219.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.







/SHEWAYE GELAGAY/Supervisory Patent Examiner, Art Unit 2436